Today’s HR departments are faced with many challenges when it comes to selecting the correct candidate for an open position. Beyond the ubiquitous background checks, knowledge assessment and checking references, HR needs to take other factors into consideration to select the best candidate. Nowhere is this truer than in organizations looking to hire knowledge workers, especially those that may interact with intellectual property or proprietary data.
After all, data is the lifeblood of today’s businesses, and protecting that data from intentional and unintentional compromise has become a priority for any connected business. Ultimately, though, information security starts with people, and more specifically with employees.
In the past, the chore of securing data was left to IT, which focused on firewalls, anti-phishing technologies and policy enforcement to keep the bad guys out and data leakage at bay. However, some of IT’s efforts proved moot, and data still escaped the enterprise, highlighting an important chink in the armor of data protection: the people who actually interact with the data.
In other words, data leakage, virus outbreaks, successful phishing attacks and all sorts of malware infections were mostly due to employee mistakes.
Information Security Interview Questions
Avoiding those problems means properly vetting new hires with some information security centric questions.
- First and foremost, HR should find out what the candidate’s experience is with secure systems. In other words, has the candidate had business-oriented computer security training that outlines proper and acceptable use?
- Does the candidate understand the concept of data leakage? In other words, can the candidate explain how data may unintentionally be exposed to outsiders via email, file sharing, printouts and so forth?
- Can the candidate identify what is considered sensitive information? Examples include social security numbers, credit card numbers, and customer addresses.
- Is the candidate aware of how critical it is to use complex passwords and not to share account information with anyone else?
- Does the candidate understand what a phishing attack is?
- Can the candidate differentiate between spam and legitimate email?
The above questions can help to determine the level of IT security knowledge a candidate has, but they should only be considered a starting point during the hiring process. Ultimately, HR should work closely with IT to create a test that the potential employee can take. That test should include the basic security questions, along with security questions that are critical to the enterprise (such as practices required by compliance legislation). HR should also expose the candidate to all of the security policies in use and confirm that the employee will take responsibility for following the established practices.
Prevent Information Security Problems Before They Start
Ignorance is no longer an acceptable defense against issues found during security audits, especially for businesses that have to follow compliance regulations such as HIPAA, SOX and PCI. Those regulatory requirements can encompass much of a business’s operations and cannot be ignored, meaning that policy enforcement must start at the foundation of employee (and contractor) interaction.
Simply put, HR must be prepared to nip potential information security problems in the bud by only hiring those who have the necessary knowledge to prevent data compromise caused by their own actions.
This blog is Part 2 in a series. Read Part 1 about IT security.
Looking to hire infosec-aware employees?
We’re proud to connect companies with top-notch IT talent. Contact one of our 60 offices across the United States to get started on finding the right candidates!